Closed CraftyCanine closed 4 years ago
I took some time looking into it, and it's definitely possible but would require some reworking to implement such a use-case.
I'll need to do a bit more digging, as all documentation I could find requires compiling the application with such certificates and private keys attached as assets in the application. This obviously isn't feasible since nobody would have the same certificate/private key.
Hey there, sorry for the long time on being able to take a deeper look into this but I think I have found a way to make it work!
I have switched to a new package for managing HTTP requests, which includes the ability to easily set a certificate on the request: https://github.com/flutterchina/dio#https-certificate-verification
I think the way to do this would be to add a new folder in the LunaSea application folder (certificates, or something) where a user can drop in a certificate file (I'll figure out the naming scheme soon). Then when the application attempts to connect it will check for a certificate, and use it if needed (PEM or PKCS12).
I'll be adding this in v2.1.0 as long as no huge barriers appear!
Awesome news! Thank you for doing the research! Not everybody uses this setup so it means a lot that you'd look into it to support the less common setups as well! I'm on your TestFlight so I will definitely do the testing if I see the feature come up in a future update. Thanks again!
I have just published TestFlight v2.0.1 (55) which includes support for disabling SSL/TLS validation within LunaSea! This means that self-hosted certificates should now be supported; you can toggle the setting in the configuration pages in the settings for each service.
As I noted in the dialog, this currently disables the ability for most images to be loaded from the server; I am looking into a resolution for that.
Hello. Thank you so much for your work on this! In the security world, https with a self signed certificate is way better than regular http any day so this is a big step forward! However, I think you might have closed this request prematurely(?). The feature I requested was for supporting https client certificate authentication (as described here: https://techcommunity.microsoft.com/t5/iis-support-blog/client-certificate-authentication-part-1/ba-p/324623), not self signed certificates.
@CraftyCanine Sorry, you're right!
Thank you for the link, that's very useful. I'll continue to work on getting this implemented!
I am moving all feature requests to a new location, so I am closing the issue: https://feedback.lunasea.app/b/feedback/p/ssl-client-certificate-authentication
This link is broken.
For my setup, I tend to be extra cautious with my external interfaces. I decided to use SSL client certificate authentication (through NGINX) for all web services that my server hosts (Sonarr, Radarr, Tautulli, etc.). I access them through reverse proxy under different subdomains of the main domain. For example, https://sonarr.blahblah.com:443, https://radarr.blahblah.com:443. The downside is that using client certificate auth means that when I want to use apps like this, I need to connect via a VPN to access the local interface to get around the client auth requirement (http://x.x.x.x:8989/ for Sonarr for example).
I see that you already have HTTP auth. Would you consider adding client certificate authentication for LunaSea? Unfortunately, I don't think it's possible to use the OS cert store so it's possible it might be a bit difficult to implement. I see you do have HTTPS support though so if you're using standard openssl libraries, they may already have support for it.
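The distinction this thread turns on, as an added example (not LunaSea's code and not written by any participant): presenting a client certificate is configured separately from server certificate validation, which stays enabled. It uses only `dart:io`; the file names `client.p12`, `client.pem`, `client.key` and the function names are assumptions made for illustration.

```dart
import 'dart:io';

/// Builds a SecurityContext that presents a client certificate when one is
/// found in [certDir] (hypothetical layout: client.p12, or client.pem plus
/// client.key). With no files present it behaves like the default context.
SecurityContext contextWithClientCert(Directory certDir, {String? password}) {
  // Keep the platform trust roots: validating the server is a separate
  // concern from authenticating the client, and it stays on.
  final context = SecurityContext(withTrustedRoots: true);
  final p12 = File('${certDir.path}/client.p12');
  final pem = File('${certDir.path}/client.pem');
  final key = File('${certDir.path}/client.key');

  if (p12.existsSync()) {
    // A PKCS#12 bundle carries both the certificate chain and the key.
    context.useCertificateChain(p12.path, password: password);
    context.usePrivateKey(p12.path, password: password);
  } else if (pem.existsSync() && key.existsSync()) {
    context.useCertificateChain(pem.path);
    context.usePrivateKey(key.path, password: password);
  }
  return context;
}

/// Requests [url] and returns the HTTP status code.
Future<int> fetchStatus(Uri url, Directory certDir, {String? password}) async {
  final client =
      HttpClient(context: contextWithClientCert(certDir, password: password));
  // No badCertificateCallback is set, so an untrusted server certificate
  // still fails the handshake instead of being silently accepted.
  try {
    final request = await client.getUrl(url);
    final response = await request.close();
    await response.drain<void>();
    return response.statusCode;
  } finally {
    client.close(force: true);
  }
}

Future<void> main(List<String> args) async {
  if (args.length < 2) {
    stderr.writeln('usage: dart run mtls.dart <https-url> <cert-dir> [password]');
    exit(64);
  }
  final password = args.length > 2 ? args[2] : null;
  final status =
      await fetchStatus(Uri.parse(args[0]), Directory(args[1]), password: password);
  stdout.writeln('HTTP $status');
}
```

The private key or PKCS#12 file is a credential, so the folder it is dropped into should be readable only by the application.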